Installation and Setup

To set up this app correctly, we’ll install Splunk’s “Universal Forwarder” on the host where ObserveIT Enterprise or ObserveIT Xpress is running. Also, we’ll configure that “Universal Forwarder” to forward the data in real-time from that host to Splunk.

We will make some assumptions as follows:

You have already installed Splunk Enterprise (Note that the ObserveIT Connector app does not work with Splunk Light).

You want to set up the solution to have the data coming in in real-time. (If instead you prefer to batch-load some data, this is quite easy, but contact Sideview for assistance.)

You are using distributed search in Splunk, i.e., you have one or more Splunk Indexer instances. (If instead you are setting up the solution to run on only a single standalone Splunk Server, you can skip everything that talks about the “TA” app and simply configure the UF to point directly to your single instance.)

You have only one “Search Head” instance. (If instead you are using Search Head Clustering, that is fine, but be aware that everything we say to deploy to the Search Head will have to be deployed to the Search Head Cluster instead.)

Install the main apps
Log into the Splunk user interface on your Search Head as an admin user. In the Apps menu at the top left, select “Manage Apps”, then on the next page click “Install App From File”. Using the form on the next page, upload the two *.spl files one by one (the order does not matter). After the second app is uploaded, follow the prompt to restart the Splunk server. If you have an older copy of Sideview Utils installed, make sure to check the “upgrade app” checkbox or Splunk may give you a strange error.

Install the Universal Forwarder
Familiarize yourself with the documentation for Splunk’s Universal Forwarder if you haven’t already. If you use Splunk’s MSI Installer to install the UF, make sure that you do NOT tell the installer where the data is located yet. Simply install the UF for now and don’t configure it to look at the data yet.

Install the TA app on indexers and forwarders
Find the observeit.spl file that you downloaded. Despite the .spl extension this is just a “tar.gz” file, so you can rename it to observeit.tar.gz and/or unzip it with your program of choice. Once you have it unzipped, look inside. At the top level of the “observeit” directory you will see a “TA_observeit” directory. This is actually a whole other “TA” app hiding in here dormant. (If you’re unfamiliar with Splunk’s “TA” convention, this basically means it’s a tiny app you need to deploy to the forwarding and indexing tiers.)

Deploy this TA app out to *all* indexers and to the forwarder by your method of choice.
(Note that the full “observeit” app itself should ONLY go on Search Head instances. Likewise, the TA app should NOT be installed on the Search Head.)

Once you have the TA app sitting at $SPLUNK_HOME/etc/apps/TA_observeit on the forwarder, and you’ve restarted both the indexers and the forwarder, you can proceed.

Configure the forwarder to forward to your indexers
If you’re an experienced Splunk admin this will be easy, but if not, the Splunk docs are here.

Configure the forwarder to read the ObserveIT logs
Verify that the ObserveIT logs are located at: C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\* . If they appear to be somewhere else, note the location.

On the command line of the UF host, change directory to the directory where Splunk is installed, and then to the bin subdirectory, i.e., “C:\Program Files\SplunkUniversalForwarder\bin”.

Note that the sourcetype and index values are case sensitive, so be sure to enter them exactly as shown here.
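The two forwarder steps above (forward to the indexers, then monitor the ObserveIT log directory) as one PowerShell script run from the UF’s bin directory. This is an added example, not code from the Sideview docs or the app; the indexer address, sourcetype and index names are placeholders that you must replace with the real values.

```powershell
# Added example (not from the ObserveIT Connector docs): registers the ObserveIT
# log directory as a monitor input and points the UF at an indexer via the
# Splunk CLI. Values marked PLACEHOLDER are assumptions; take the real
# sourcetype and index names from the app's documentation (case sensitive).

$SplunkBin  = 'C:\Program Files\SplunkUniversalForwarder\bin'
$LogPath    = 'C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\*'
$Indexer    = 'indexer.example.local:9997'   # PLACEHOLDER: your indexer host:port
$SourceType = 'PLACEHOLDER_SOURCETYPE'       # PLACEHOLDER: exact value from the docs
$Index      = 'PLACEHOLDER_INDEX'            # PLACEHOLDER: exact value from the docs

Set-Location $SplunkBin

# Fail early if the ObserveIT log directory is not where the docs say it is;
# a monitor on a missing path silently forwards nothing.
$LogDir = Split-Path $LogPath
if (-not (Test-Path $LogDir)) {
    throw "ObserveIT log directory not found: $LogDir. Note the real location and adjust `$LogPath."
}

# Step 1: send data to the indexer tier.
.\splunk.exe add forward-server $Indexer

# Step 2: register the monitor input with the exact sourcetype and index names.
.\splunk.exe add monitor $LogPath -sourcetype $SourceType -index $Index

# Confirm both settings took effect before restarting: the forward-server
# should be listed as active and the monitor should show the ObserveIT path.
.\splunk.exe list forward-server
.\splunk.exe list monitor

.\splunk.exe restart
```

If the UF is not yet authenticated, the CLI will prompt for the UF admin credentials on the first command.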

OPTIONAL: Those two above are by far the most important, but while you’re here you can also add data inputs for these other 6 optional sourcetypes. Note that they are much lower volume, so there’s not much harm in adding them now.